A cyberattack earlier this year on JD Sports affected up to 10 million customers. This followed Moncler making the headlines at the beginning of 2022 after a ransomware attack was successful against its systems. The leaked data included information about employees, suppliers, business partners and customers.
Guess was also on the receiving end of a hack in the summer of 2021 and Chanel suffered a similar fate with its South Korean operation.
In the UK, when hacks occur the Information Commissioner’s Office (ICO) expects companies to deal with them proactively and ensure that serious breaches are resolved effectively. We set out how fashion companies can do this.
Fashion brands are a gold mine for data that can be exploited. Hackers target clients’ personal information, their financial information, and the brand’s operations and systems. This data is all readily available, especially when brands have online shops.
Hackers can do this through a data breach, a targeted attack to obtain logins and the information they protect; ransomware, where access to files or systems is blocked until a ransom fee is paid; or denial of service attacks, where a system or server is flooded with targeted requests, preventing legitimate requests from being fulfilled.
Good defence is best when it comes to cyber-security. In order to protect your data and brand, it is important to carry out an assessment of the strengths and weaknesses of your current cyber-security framework.
A brand should look at:
The ICO will expect a brand to do the following if it finds itself the victim of a cyberattack.
When providing details to affected individuals, a brand needs to inform them, in clear language, of the nature of the breach and what personal data was affected. They should also be provided with details of the relevant contact point or the details of the brand’s data protection officer (DPO).
It is recommended that individuals are provided with information on how the brand will assist them going forward and any actions they can take to protect themselves. ICO guidance outlines that this may include forcing a password reset, advising individuals to use strong, unique passwords, and telling them to look out for phishing emails or fraudulent activity on their accounts.
If, after a risk assessment, the brand has decided that a notification to the ICO is not necessary, it is still highly advisable that the company records information about the breach and the actions taken in response. If the ICO decides that an investigation is necessary, the company may be asked to justify the decisions it made.
Adequate and appropriate handling of data breaches is crucial, not only to ensure that customer personal data is protected, but also to avoid the ire of the regulators. By way of example, in the US Shein was handed a USD1.9m fine by the State of New York for its handling of a data breach that occurred in 2018. The UK’s ICO is likely to enforce comparable penalties where it considers an organisation’s response was not sufficient.
If a report to the ICO is necessary, then it is important that the following information is captured:
If you find yourself on the receiving end of a cyberattack, it is important to be as prepared as possible. Planning in advance is ideal, and is likely to include contingency measures. However, as it may be difficult to plan for all eventualities, the following best practices will also limit what can be hacked: